Personal information of hundreds of thousands of Indians was recently leaked, revealing details such as full names, dates of birth, home addresses, national IDs, and much more.
The data breach was discovered by Safety Detectives and affected users of CashMama, a now-defunct money lending platform based in India. CashMama’s S3 bucket (a container of objects stored on Amazon cloud) was apparently left open, compromising personal data of thousands of Indians.
The app in question is no longer operational, for it was shut down after an instant loan app scandal. Founded in Hyderabad in 2018, CashMama offered loans between ₹3,000 and ₹5,000 within minutes. Its operators were arrested in 2020 by Indian authorities for blackmail, harassment, coercion, and financial fraud.
Using references to the company in stored emails, Safety Detectives were able to trace the bucket to CashMama. What does this imply? Quite simply, CashMama was allowing its owners to snoop on customers via mobile apps and related services.
What information was leaked?
According to Safety Detectives, over 6.5 million files were leaked through the misconfigured Amazon S3 bucket, totalling over 1 TB of data. Sensitive data of customers from at least four apps including CashMama, LoanZone/Vayloan, and MeraLoan has been compromised.
Also read: Apple & Meta Gave Sensitive User Data To Hackers Posing As Officials, Report Says
The last of leaked personal identifiers information (PIIs) is extremely long, from full names, dates of birth, home addresses, parent’s names, occupations, email addresses, IFSC codes, bank accounts details, company information, PAN numbers, photos, payment and location histories, and more.
Not just PIIs, even phone data including SMS data, contacts, device information, battery status, and fingerprint data for Vayloan were made public due to this data breach. “CashMama’s AWS S3 bucket contained nearly 650,000 SMS data files and almost 1 million SMS & contact history files — the latter exposed phone-related data for over 350,000 customers,” Safety Detectives wrote.
The threats of such lapses
There are a range of threats for those whose data has been compromised in this breach. Identity theft, phishing, scams, fraud are a few among many concerns for users whose private details were made public. Cybercriminals and bad actors could use this information to set up bank accounts in the person’s name to obtain loans and mortgages. “Victims could be left with the prospect of financial ruin,” the report said.
Also read: Paytm Payments Bank Reportedly Shared Data With Chinese Firms, Claims RBI
That’s not it! Scraped SMS conversations of people could be used by hackers to blackmail customers until the victim pays a fee.
The open S3 bucket was discovered on November 11, 2021 and affects around 200-600K users, with 6.5 million total files exposed so far… totalling 1 TB in size. CashMama’s open bucket was secured between January 11-13, 2022 after Safety Detectives got in touch with Indian Computer Emergency Response Team (CERT) and Amazon Web Services.
How can you stay safe?
Always check who you are providing personal information to. Verifying an app’s veracity and reading reviews is a good way to ensure your data’s safety. In addition, avoid giving out identification data including government ID numbers and personal preferences to any actors.
Resist the urge to click on links that promise instant loans or more and check for the website’s security (no https means no security). Keeping yourself updated about cybercrime and how criminals fool users into divulging sensitive information can go a long way in protecting your identity online.
Have you ever been a victim of phishing or scams? Share your thoughts with us in the comments below. For more in the world of technology and science, keep reading Indiatimes.com.